mydoom | 48e8b665ecbc3a89d6098f81916d1e07c1228ecca4b41b86a5e3ba9bceefe233

General

Target

JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe
Size

28KB
MD5

7309961ec4b5d19f747d2ebefc2f4d80
SHA1

0d3ed220aae7096c4cb912650fedf7b7977d7e07
SHA256

48e8b665ecbc3a89d6098f81916d1e07c1228ecca4b41b86a5e3ba9bceefe233
SHA512

01e7fbe41f7f93d7bb0437fff8a85d2c75fb09f70ebb016b57b41cd5398690e1a4b9884474b44c37573a504ca4a1a332fbb6a58766591285708e6c12a4b0f08c
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNMs6Qq:Dv8IRRdsxq1DjJcqfJ

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/844-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/844-44-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/844-49-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/844-215-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/844-219-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/844-226-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/844-259-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
384	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/844-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000c000000023f87-4.dat	upx
behavioral2/memory/384-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/844-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/844-44-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/844-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000800000002409a-55.dat	upx
behavioral2/memory/844-215-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-216-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/844-219-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-220-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/384-225-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/844-226-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-227-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/844-259-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/384-260-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe
File created	C:\Windows\java.exe	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 384	844	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe	84
PID 844 wrote to memory of 384	844	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe	84
PID 844 wrote to memory of 384	844	JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7309961ec4b5d19f747d2ebefc2f4d80.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\28X5YDPF\WPLFLYL7.htm

Filesize
153KB

MD5
68ab6727bc4f8a3ee726d0c1fc3c1070

SHA1
5a8be08c64c6532b664bd1d8872b23e2e7abb3a1

SHA256
7005188da2bc8e2ee8fa53052858fc218ebd57e0f4da587cad76b746b68eaec2

SHA512
38f8f83078c670c5399e6760cdbb30667a62dc984dad6ff3a0efac60e0812eee1dd4666b41450f4610cc28274ae09d6c0e2249b26b963050d01fdba9c85610a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\28X5YDPF\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6B2.tmp

Filesize
28KB

MD5
947bd89d2b502ba46c537fa2533eab33

SHA1
cc5577185700e11e0e927931833b1992700c6367

SHA256
e8926d239abb403d34fc39d3f7eea2eab9296cc23229b42533b3294fbb281b3c

SHA512
9989e6e2a289657ee75ba134f358edb69610b35a7a09352bd986c3c487ec69b8a7b004cd7ddf3c146cfaa6d15d2569d30724bbc778d5f7085c8d628d929040fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
705e7d78d4aa54b59a088e229032c8b4

SHA1
d0a768f91d36a29f368b174ec559bc9924f6f281

SHA256
eac9996b97a9c6bdc8d436c5ce75b5f41628b07796dff54d233e53e0b79daeb6

SHA512
60755543db2e4d4495b7ab58e9de8e9c2c3d5d7d1e841479e828ad2a23218772a0623edf8429e2aa5ade427b43342042ecaa813b88cf903e0da33d2adbec76fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
214a21fb47e11cee3f252c0c133076df

SHA1
a7f4df094ebc706efc070428c8687db711593a13

SHA256
0c1eb4c7b3516f133d761b998ad1d17822a528df6757c37770b47818224d3c4f

SHA512
d11363783a9595159639fda9251b48302da6f07d0e1c3d49203e49c8cd0afb1e2d5a8221e2746627e27a9384b623e0c5362d416ec9bc34347d743b9419e3cf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
eabcb695782f58bb380fc198d4ba0249

SHA1
339b8a777b4fb4d07410fd067380f80e9684561f

SHA256
7b2dd138670548c76f847ca3f48fee335465f079245212a8fa2c7dedffc04d74

SHA512
29fc1ebaac7f02f1a5efa08adcf0622973c8dd8d165b0c9084ab9924a764b25a9a39e5e5ae545f51e62f252efad046b98e45d3f95bedc16d36ef4870e959ecdb

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/384-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-260-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/384-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/844-219-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-215-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-226-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-259-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/844-44-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads